000033762 - How to configure an ECAT syslog feed into RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 22, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000033762
Applies To:
  RSA Product Set: ECAT, Security Analytics
  RSA Version/Condition: 4.1.2, 4.2.0, 10.6.x
  Platform: Windows
  O/S Version: 2008 Server R2, 2012 Server
  Product Name: RSA Netwitness Endpoint
Issue: It is sometimes desirable to add a feed into Security Analytics (RSA NetWitness Logs and Packets) for gathering additional information.
Tasks:
  • Configure the ECAT Server with the SA details
  • Configure the Log Decoder custom table map
  • Configure the Log Concentrator custom index table
Resolution
Procedure

Perform the following steps to configure this integration:
  1. Deploy the required parser (CEF or ECAT) to the Log Decoder as described in Manage Live Resources.
  2. Use only one of these parsers. When the CEF parser is deployed, it supersedes the ECAT parser, and all CEF messages arriving in Security Analytics are processed by the CEF parser. Enabling both parsers is an unnecessary burden on performance.
  3. Configure ECAT to send syslog output to Security Analytics so that ECAT alerts are generated to the Log Decoder.
  4. (Optional) Edit the table mapping in table-map-custom.xml and the index in index-concentrator-custom.xml to add the fields you want mapped as metadata in Security Analytics.
Configure ECAT to Send Syslog Output to Security Analytics

To add the Log Decoder as a Syslog external component and generate ECAT alerts to the Log Decoder:
 
For ECAT version 4.1.2
  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components. The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click +. The SYSLOG Server dialog is displayed.

  4. Complete the fields required to enable syslog messaging:
     On = A descriptive name for the Log Decoder
     Server Hostname/IP = The DNS hostname or IP address of the RSA Log Decoder
     Port = 514
     Transport Protocol = UDP or TCP, as appropriate for your syslog server
  5. Click Save.
  6. Click Instant IOCs and change the settings to make them alertable. When the instant IOCs are triggered, syslog alerts from the ECAT server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator, where these events are injected as metadata.
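To check the syslog path set up above before relying on the Log Decoder's parser, the helper below builds a CEF-over-syslog line, sends it over UDP or TCP to port 514, and parses a line back into its fields so a capture can be compared with what was sent. This is an added example, not RSA or ECAT code; the Log Decoder hostname is a placeholder, and the sample record is constructed in the generic CEF layout only and does not claim to match ECAT's real field set.

```python
import re
import socket
import time

# Seven '|'-delimited CEF header fields; the key=value extension follows them.
CEF_HEADER = ("version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")

def build_syslog_line(host, app, header, ext):
    """Return '<13>Mon dd hh:mm:ss host app: CEF:0|...|k=v' (PRI 13 = user.notice)."""
    esc = lambda v: str(v).replace("\\", "\\\\")          # CEF escapes '\' first
    hdr = "|".join(esc(header[k]).replace("|", "\\|") for k in CEF_HEADER)
    body = " ".join(k + "=" + esc(v).replace("=", "\\=") for k, v in ext.items())
    return f"<13>{time.strftime('%b %d %H:%M:%S')} {host} {app}: CEF:{hdr}|{body}"

def parse_cef(line):
    """Parse a syslog line carrying CEF into a dict of header fields plus 'ext'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    body, fields, buf, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):     # '\|' or '\\' inside a header field
            buf.append(body[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    rec = dict(zip(CEF_HEADER, fields))
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", body[i:], re.S)
    rec["ext"] = {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in pairs}
    return rec

def send_syslog(line, decoder_host, port=514, transport="UDP"):
    """Send one line to the Log Decoder: one UDP datagram, or newline-framed TCP."""
    data = line.encode("utf-8")
    if transport.upper() == "TCP":
        with socket.create_connection((decoder_host, port), timeout=5) as s:
            s.sendall(data + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (decoder_host, port))

# Constructed sample record: generic CEF shape only, not ECAT's real field set.
SAMPLE_HEADER = {"version": 0, "vendor": "ExampleVendor", "product": "Endpoint|Agent",
                 "device_version": "4.1.2", "signature_id": "IOC-1001", "name": "Instant IOC triggered", "severity": 7}
SAMPLE_EXT = {"src": "10.0.0.5", "shost": "WS01", "msg": "Rule a=b matched"}
```

Run `parse_cef(build_syslog_line("ecat-server", "ECAT", SAMPLE_HEADER, SAMPLE_EXT))` for an offline round trip; `send_syslog(line, "LOGDECODER_HOST_PLACEHOLDER")` delivers the same line to the decoder once the placeholder is replaced.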

Edit the Table Mapping in table-map-custom.xml

  1. Log on to Security Analytics and navigate to Administration > Services.
  2. Select a Log Decoder from the list, and select View > Config.
  3. Select the Files tab, and from the Files to Edit pull-down menu, select table-map-custom.xml.
  4. Add the ECAT meta keys from the attached file Table Map Metakeys to the file and click Apply.
  5. Restart the Concentrator.
Configure the Security Analytics Concentrator Service
  1. Log on to Security Analytics and navigate to Administration > Services.
  2. Select a concentrator from the list, and select View > Config.
  3. Select the Files tab, and from the Files to Edit pull-down menu, select index-concentrator-custom.xml.
  4. Add the ECAT meta keys from the attached file Index Custom Metakeys to the file and click Apply. Make sure the file already contains the enclosing XML sections; if those lines are missing, add them.
  5. Restart the Concentrator.
Result

Analysts can:
  • Create Security Analytics alerts based on ECAT events by configuring ECAT events as an enrichment source.
  • Create ESA rules using ECAT meta as described in Add Rules to the Rules Library.
  • Report on ECAT events using ECAT meta as described in Rules.
  • View ECAT alerts in Incident Management as described in Alerts View.
  • View ECAT meta keys in Investigation along with standard SA core meta keys as described in Conduct an Investigation.
See additional references here where this issue has been documented previously:
https://inside.emc.com/docs/DOC-220846
Official documentation for integrations can be found in the related doc here:
https://community.rsa.com/docs/DOC-1379